mirror of https://github.com/Safe3/uuWAF
securityapi-gatewayapi-securityapplication-securitymodsecuritywaapwafweb-application-firewallweb-security-gateway
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
86 lines
2.0 KiB
86 lines
2.0 KiB
--- |
|
--- Generated by UUSEC(https://www.uusec.com/) |
|
--- Created by Safe3. |
|
--- DateTime: 2024/7/25 11:11 |
|
--- |
|
--[[ |
|
/uuwaf/conf/uuwaf.conf |
|
resolver 1.1.1.1 valid=30s ipv6=off; |
|
lua_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt; |
|
--]] |
|
local ngx = ngx |
|
local ngx_exit = ngx.exit |
|
local ngx_log = ngx.log |
|
local ngx_err = ngx.ERR |
|
local ngx_today = ngx.today |
|
local ngx_kv = ngx.shared |
|
local http = require("resty.http") |
|
local ipmatcher = require("resty.ipmatcher") |
|
local resty_lock = require("resty.lock") |
|
local util = require("waf.util") |
|
|
|
local _M = { |
|
version = 0.1, |
|
name = "ip-intelligence" |
|
} |
|
|
|
local matcher, today |
|
|
|
local function init_matcher() |
|
local http_client = http.new() |
|
local res, err = http_client:request_uri("https://waf.uusec.com/ip-intelligence-feed.json") |
|
if not res then |
|
ngx_log(ngx_err, "get ip intelligence failed: ", err) |
|
return |
|
end |
|
res, err = util.jsonDecode(res.body) |
|
if not res then |
|
ngx_log(ngx_err, "decode ip intelligence feed failed: ", err) |
|
return |
|
end |
|
matcher = ipmatcher.new_with_value(res) |
|
end |
|
|
|
function _M.req_post_filter(waf) |
|
local lock, err, ok |
|
|
|
if (not today) or today ~= ngx_today() then |
|
matcher = nil |
|
today = ngx_today() |
|
end |
|
|
|
if not matcher then |
|
lock, err = resty_lock:new("lock") |
|
if not lock then |
|
ngx_log(ngx_err, "create ip_threat_lock failed: ", err) |
|
return nil |
|
end |
|
|
|
ok, err = lock:lock("ip_threat_lock") |
|
if not ok then |
|
return |
|
end |
|
|
|
if not matcher then |
|
init_matcher() |
|
end |
|
|
|
ok, err = lock:unlock() |
|
if not ok then |
|
ngx_log(ngx_err, "unlock ip_threat_lock failed: ", err) |
|
end |
|
end |
|
|
|
if matcher then |
|
local level = matcher:match(waf.ip) |
|
if level then |
|
waf.msg = "ip threat level: " .. level |
|
waf.rule_id = 10000 |
|
waf.deny = true |
|
ngx_kv.ipBlock:incr(waf.ip, 1, 0) |
|
return ngx_exit(403) |
|
end |
|
end |
|
end |
|
|
|
return _M |